Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Policy Simulation / policy-simulate (push) Has been cancelled
SDK Publish & Sign / sdk-publish (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
20
docs/security/secrets-handling.md
Normal file
@@ -0,0 +1,20 @@
# Secrets Handling (Orchestrator additions)
Last updated: 2025-11-25
## Principles
- Secrets are stored in Authority and referenced via `secretRef`; services never persist raw secrets.
- No secrets in logs, traces, metrics, crash dumps, or health endpoints.
- Offline/air-gap: secrets are delivered through sealed bundles and loaded at startup only.
## Orchestrator-specific rules (DOCS-ORCH-34-002)
- Plugin steps receive secrets via `secretRef`; workers fetch at step start and keep in-memory only for the step scope.
- Secrets are not written to the run ledger, artifacts, or NDJSON exports; only `secretRef` identifiers may appear.
- Network egress is deny-by-default; allowlists must reference `secretRef`-protected credentials when needed.
- Cancellation and retries must not log or surface secret material; redaction applies to all error paths.
## Audit checklist
- [ ] Every plugin configuration uses `secretRef`, not inline values.
- [ ] Logs/traces verified to contain no secret payloads (redaction tests).
- [ ] Run ledger verified to store hashes/refs only.
- [ ] Secret refresh/rotation tested (Authority + worker reload).
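Review bot: the third audit item, "Run ledger verified to store hashes/refs only", contradicts the orchestrator rule above it that in the run ledger, artifacts and NDJSON exports "only `secretRef` identifiers may appear"; an unkeyed hash of a secret in a ledger is an offline-guessing target for low-entropy credentials, so either tighten the checklist to refs only or, if a fingerprint is genuinely needed for change detection, specify a keyed construction (for example an HMAC whose key is itself held in Authority) and state it in both sections. Related: the offline principle says secrets are "loaded at startup only", while the last checklist item tests "Secret refresh/rotation ... (Authority + worker reload)"; say whether air-gapped deployments rotate only via restart. Finally, "keep in-memory only for the step scope" gives no release rule, and the cancellation/retries bullet covers logging but not release; consider adding "cleared from memory on step completion, cancellation, or retry" with a matching checklist item.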